November 22, 2010

Why do health plans and providers refuse to secure sensitive data when encrypting it costs nothing at all?

According to a study out of HHS that tracks healthcare data breaches, laptop computer theft was the most prevalent cause of data theft, involved in 24% of breaches. Desktop computers accounted for 16% of the breaches. Physical security is cited as an issue; had computers been kept behind locked doors, fewer would have been stolen. But that's just silly. You can't be locking and unlocking office doors all day long, and keeping a laptop in a locked room sort of defeats the whole point of a portable computer.

So, why wasn't the data encrypted? "Ah," you say, "Let me explain our reasons: (1) encryption isn't really secure, (2) it costs money and wastes my time, (3) difficult to administer in an organization, and (4) I could be forced to type in my password at gunpoint."

Well, (1), wrong. Encryption is really secure; the chances of anyone being able to break modern layered encryption are somewhere between zero and non-existent* (except for pure random chance, unfortunately, like when they guess your password is hGRw5k9oBn28, or Let's1andallGo(straight)2Shaneequah'sHouse). Despite what the movies would have you believe, random strings and big long phrases with numbers and punctuation are easy to remember, but astronomically difficult to guess, even using brute-force cracking software. ILoveMyCat isn't.

And, (2), wrong. Once set up on a laptop, an "encrypted volume" is just like another hard drive, and to use data on it you simply type in a password. No wasted time (oh, well, alright, however long it takes you to type in a handful of characters -- how bad are your keyboarding skills?).

And, (3), wrong. Are you just OK with losing my data, or is work too hard for you? And that old saw about not being able to administer open source software is inapplicable. Who cares if an admin can tweak and fiddle with the copies of copies of copies of redundantly off-site backed-up data that some lower-down has on his laptop?

And, (4), wrong again. The fear of being held at gunpoint while you type in a password for a file your attacker can see on your computer is simply a waste of good adrenaline. Modern encryption software provides full deniability, such that even the sensitive files themselves are invisible; which is to say, they are hidden encrypted inside another file, one that opens to reveal some non-sensitive content when you use one password, and the sensitive stuff when you use another password. Unless the attacker can see inside your head, he doesn't know the data is even there.

And it's free. Yup. Free, open source, downloadable, and you can have it on your laptop and running beautifully in minutes. We don't have any connection with the product, but we've been using it for years. It's called TrueCrypt. Setup took all of 15 minutes. Five years ago. If you don't use it and you lose my healthcare data, I'm going to be really ticked.

Okay, end of rant. Until the next stupid data breach.

*Alright, let's just say that the odds against are so unfavorable that even the most seasoned hackers won't take the bet.
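
The password comparison in point (1), worked through as an added example (not part of the original post): it estimates how many guesses each of the three passwords quoted above would cost under exhaustive search and under a common-word attack. The word list, its assumed size of 2,000 words, and the guess rate of one billion per second are all assumptions made for illustration.

```python
import string

# Constructed stand-in for an attacker's common-word list (assumption).
WORDS = {"i", "love", "my", "cat", "go", "house", "and", "all"}
DICT_SIZE = 2_000        # assumed size of a real common-word list
GUESSES_PER_SEC = 1e9    # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(pw):
    """Alphabet an exhaustive search must cover, by character class used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_guesses(pw):
    """Every string of this length over the password's alphabet."""
    return charset_size(pw) ** len(pw)

def split_words(pw):
    """Fewest list words that spell pw exactly (ignoring case), else None."""
    s = pw.lower()
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(len(s)):
        if best[i] is None:
            continue
        for j in range(i + 1, len(s) + 1):
            if s[i:j] in WORDS and (best[j] is None
                                    or len(best[i]) + 1 < len(best[j])):
                best[j] = best[i] + [s[i:j]]
    return best[len(s)]

def cheapest_attack(pw):
    """Guess count for the cheaper of the two attack models."""
    cost = brute_force_guesses(pw)
    words = split_words(pw)
    if words is not None:
        # Each word: DICT_SIZE choices, capitalised or not.
        cost = min(cost, (DICT_SIZE * 2) ** len(words))
    return cost

def years_to_exhaust(pw):
    return cheapest_attack(pw) / GUESSES_PER_SEC / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ("ILoveMyCat", "hGRw5k9oBn28",
               "Let's1andallGo(straight)2Shaneequah'sHouse"):
        print(f"{pw!r}: {cheapest_attack(pw):.2e} guesses, "
              f"{years_to_exhaust(pw):.2e} years")
```

The figure for the long phrase is an upper bound: this model only credits the attacker with pure word concatenation, not with digit and punctuation mangling rules.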